> We have one group "employees" containing every user (as a
> posixAccount), and another group which splits into different
> organisationalUnits (marketing, development etc.).
> Now we try to authenticate based on the groups:
> [slapd.conf]
> base ou=marketing,ou=groups,dc=mydomain,dc=de
> pam_filter objectclass=posixGroup
> pam_login_attribute memberUid
> Those groups are posixGroups and have a memberUid which is a valid uid
> from the "employees" group.
> Is that going to work? Would 'uniquemember' better suit our needs than
> 'memberUid'? Grateful for every comment,
If you want to restrict access to a service on a PAM-enabled OS, I think
it is better to let pam_ldap auth the password and restrict groups, etc.,
using the PAM module intended for that purpose, pam_listfile:
auth required /lib/security/pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/login_limit_list.conf
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
where /etc/security/login_limit_list.conf looks something like:
cis
root
sys
adm
informix
Just a list of groups.
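The following shell script is an added example and is not part of the original thread or of pam_listfile itself. It emulates the decision pam_listfile makes with "item=group sense=allow" (allow if any of the user's groups is an exact line in the list file, deny otherwise, and deny when the file cannot be read, as onerr=fail would) and adds the sanity check an admin should run on the list file: pam_listfile will not use a list file that is world-writable or not a regular file. The list file contents and the group memberships are constructed for illustration; the function names listfile_allows and listfile_is_sane are my own.

```shell
#!/bin/sh
# Added example, not from the original thread: emulate the decision pam_listfile
# makes with "item=group sense=allow" and check the list file the way a careful
# admin would before trusting it. The list file contents and the group
# memberships below are constructed for illustration.

LISTFILE="${TMPDIR:-/tmp}/login_limit_list.example.$$"
trap 'rm -f "$LISTFILE"' EXIT
cat > "$LISTFILE" <<'EOF'
cis
root
sys
adm
informix
EOF
chmod 644 "$LISTFILE"

# listfile_allows FILE GROUP...
# Returns 0 (allow) when at least one of GROUP... is an exact line in FILE,
# 1 (deny) otherwise. An unreadable FILE also denies, mirroring onerr=fail.
listfile_allows() {
    file=$1; shift
    [ -r "$file" ] || return 1
    for g in "$@"; do
        # grep -x matches whole lines, so "adm" is not matched by "admin"
        if grep -qx -- "$g" "$file"; then
            return 0
        fi
    done
    return 1
}

# listfile_is_sane FILE
# Returns 0 when FILE is a regular file that is not world-writable.
# pam_listfile rejects a list file that fails either condition, so a stray
# chmod on the file silently turns into "everyone denied" under onerr=fail.
listfile_is_sane() {
    [ -f "$1" ] && [ -z "$(find "$1" -prune -perm -002)" ]
}

# Demonstration: a user whose groups are "marketing" and "development" is not
# in the list and is denied; a user in "adm" is allowed.
if listfile_allows "$LISTFILE" marketing development; then
    echo "marketing/development user: allowed"
else
    echo "marketing/development user: denied"
fi
if listfile_allows "$LISTFILE" adm employees; then
    echo "adm user: allowed"
fi
listfile_is_sane "$LISTFILE" && echo "list file permissions look fine"
```

On a real host the group arguments would come from `id -Gn "$user"` (supplementary groups included, which is also what pam_listfile's item=group consults); the script keeps them as explicit arguments so it runs without those accounts existing.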